Title: Fuzzy MLS: An Experiment on Quantified Risk-Adaptive Access Control

The goal of this paper is to present a new model for, or rather a new way of thinking of adap- tive, risk-based access control. Our basic premise is that there is always inherent uncertainty in access control decisions and such uncertainty leads to unpredictable risk that should be quantified and addressed in an explicit way. The ability to quantify risk makes it possible to treat risk as countable resource. This enables the use of economic principles to manage this resource with the goal of achieving the optimal utilization of risk, i.e, allocate risk in a manner that optimizes the risk vs. benefit tradeoff. We choose to expand the well known and practiced Bell-Lapadula multi-level security (MLS) access control model as a proof-of-concept case study for our basic premise. The resulting access control model is more like a Fuzzy Logic control system than a traditional access control system and hence the name "Fuzzy MLS".

Title: Countermeasures against government-scale monetary forgeries

Despite cryptographic breakthroughs in the area of digital cash and the rapid advance of information technology, physical cash remains the dominant currency: it is easy to use and its exchanges are largely independent of computing devices. However, physical cash is vulnerable to rising threats, such as large-scale, government-mandated forgeries, that digital cash may protect against more effectively. In this talk, I sketch a couple of mechanisms to combine physical cash with digital cash, to remove their respective shortcomings and obtain their combined advantages. I further try to foster discussion on the economic cost of forgeries, and on its impact on the different defensive strategies that we can consider.

(Joint work with Alessandro Acquisti, Bryan Parno, and Adrian Perrig.)

Title: Network formation, Sybil Attacks & Reputation Systems

We propose a model of network formation in peer-to-peer networks, that allows us to observe their suseptibility to sybil attacks against rout- ing security. Peers try to selfishly fulfill their communication needs, by connecting directly to communication partners (`friends') or indirectly through stranger nodes. We assess the strategies nodes will follow de- pending on the topology of the friendship graphs, and the number of links nodes are allowed. We show that it is common to connect to friends, there- fore automatically foiling exogenous attacks. A roadmap of further work, including realistic networks, adversaries and using reputation systems is discussed.

Internet Security, Vulnerability Disclosure, and Software Provision

Vulnerabilities are a major concern in software markets, since attackers that exploit them can cause substantial damages.Software security is a serious concern for vendors, consumers, and regulators. When vulnerabilities are discovered ex-post, i.e., after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects consumers who install updates. But not all consumers install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. This increases the probability of attack in which unprotected consumers will suffer damage. The paper considers a setting in which a software vendor faces such a dilemma. Prices, market shares, and profits depend on the disclosure policy of the firm. The paper analyzes the market outcome and compares it to the socially optimal disclosure policy. It also examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities as well as a firm's incentive to invest in reducing the number of vulnerabilities ex-ante and/or identifying them ex-post.

Title: Vulnerability Hunters: Surveying Participants in a Poorly Understood Labor Market

Each year thousands of vulnerabilities are discovered and reported in deployed software and web applications. Researchers have made great strides in categorizing and understanding the nature of these vulnerabilities. However, little is known about the researchers who invest valuable time and effort into finding software vulnerabilities. What motivates them? How do they select products to investigate? Under what conditions are they willing to wait to publish vulnerabilities so that vendors have time to issue patches? In this talk, I will describe an ongoing project to survey vulnerability researchers for answers to these questions.

Title: Competing with Free: The Impact of Movie Broadcasts on DVD Sales & Internet Piracy

Movie studios have long believed that the presence of home recording technology significantly damages the marketability of movies broadcast on free television. This issue has gained renewed importance recently with the advent of high-definition digital television, causing the movie studios to argue that unless copy protection is included in digital television standards, it will no longer be profitable for them to show movies through unprotected over-the-air broadcast channels. Their concern is that digital transmission standards and personal video recorders will allow consumers and pirates to make perfect digital copies of movie broadcasts, resulting in increased piracy and reduced demand for DVDs.

We empirically analyze these concerns and find that the dominant impact of movie broadcasts is to stimulate DVD sales. DVD sales increase by an average of 345-399% immediately after a movie is shown on broadcast TV. These sales gains are approximately four times larger than sales gains from cable broadcasts. We also find that the availability of pirated material on popular BitTorrent trackers at the time of broadcast does not lead to lower sales gains relative to movies without readily available pirated copies. Finally, we find that greater differentiation between the broadcast version of the movie and the DVD version leads to higher increases in DVD sales. In general our results suggest that relatively small amounts of differentiation can be sufficient to allow free information goods to serve as complements to purchased copies of the same information good.

Title:Incentive-Centered Design for Information Security

Humans are "smart components" in a system, but cannot be directly programmed to perform; rather, their autonomy must be respected as a design constraint and incentives provided to induce desired behavior. Sometimes these incentives are properly aligned, and the humans don't represent a vulnerability. But often, a misalignment of incentives causes a weakness in the system that can be exploited by clever attackers. Incentive-centered design tools help us understand these problems, and provide design principles to alleviate them. We describe incentive centered design and some tools it provides. We provide a number of examples of security problems for which Incentive Centered Design might be helpful. We elaborate with a general screening model that offers strong design principles for a class of security problems.